<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Configuring security in Elasticsearch | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'configuring-security.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/configuring-security.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/configuring-security.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/configuring-security.html" rel="nofollow" target="_blank">../en/configuring-security.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-node">Configuring security in Elasticsearch</span>
</div>
<div class="navheader">
<span class="prev">
<a href="elasticsearch-security.html">« Security overview</a>
</span>
<span class="next">
<a href="separating-node-client-traffic.html">Separating node-to-node and client traffic »</a>
</span>
</div>
<div class="chapter xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="configuring-security"></a>Configuring security in Elasticsearch<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/configuring-es.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>

<p>The Elasticsearch security features enable you to easily secure a cluster. You can
password-protect your data as well as implement more advanced security measures
such as encrypting communications, role-based access control, IP filtering, and
auditing. For more information, see
<a class="xref" href="elasticsearch-security.html" title="Security overview"><em>Overview</em></a>.</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Verify that you are using a license that includes the specific
security features you want.</p>
<p>For more information, see <a href="https://www.elastic.co/subscriptions" class="ulink" target="_top">https://www.elastic.co/subscriptions</a> and
<a href="https://www.elastic.co/guide/en/kibana/7.7/managing-licenses.html" class="ulink" target="_top">License management</a>.</p>
</li>
<li class="listitem">
Verify that the <code class="literal">xpack.security.enabled</code> setting is <code class="literal">true</code> on each node in
your cluster. If you are using basic or trial licenses, the default value is <code class="literal">false</code>.
For more information, see <a class="xref" href="security-settings.html" title="Security settings in Elasticsearch">Security settings</a>.
</li>
<li class="listitem">
If you plan to run Elasticsearch in a Federal Information Processing Standard (FIPS)
140-2 enabled JVM, see <a class="xref" href="fips-140-compliance.html" title="FIPS 140-2">FIPS 140-2</a>.
</li>
<li class="listitem">
<p><a class="xref" href="configuring-tls.html" title="Encrypting communications in Elasticsearch">Configure Transport Layer Security (TLS/SSL) for internode-communication</a>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>This requirement applies to clusters with more than one node and to
clusters with a single node that listens on an external interface. Single-node
clusters that use a loopback interface do not have this requirement.  For more
information, see
<a class="xref" href="encrypting-communications.html" title="Encrypting communications"><em>Encrypting communications</em></a>.</p>
</div>
</div>
</li>
<li class="listitem">
If it is not already running, start Elasticsearch.
</li>
<li class="listitem">
<p>Set the passwords for all built-in users.</p>
<p>The Elasticsearch security features provide
<a class="xref" href="built-in-users.html" title="Built-in users">built-in users</a> to
help you get up and running. The <code class="literal">elasticsearch-setup-passwords</code> command is the
simplest method to set the built-in users' passwords for the first time.</p>
<p>For example, you can run the command in an "interactive" mode, which prompts you
to enter new passwords for the built-in users:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-setup-passwords interactive</pre>
</div>
<p>For more information about the command options, see <a class="xref" href="setup-passwords.html" title="elasticsearch-setup-passwords"><em>elasticsearch-setup-passwords</em></a>.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>The <code class="literal">elasticsearch-setup-passwords</code> command uses a transient bootstrap
password that is no longer valid after the command runs successfully. You cannot
run the <code class="literal">elasticsearch-setup-passwords</code> command a second time. Instead, you can
update passwords from the <span class="strong strong"><strong>Management &gt; Users</strong></span> UI in Kibana or use the security
user API.</p>
</div>
</div>
</li>
<li class="listitem">
<p>Choose which types of realms you want to use to authenticate users.</p>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>The types of authentication realms that you can enable varies according to
your subscription. For more information, see <a href="https://www.elastic.co/subscriptions" class="ulink" target="_top">https://www.elastic.co/subscriptions</a>.</p>
</div>
</div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a class="xref" href="active-directory-realm.html" title="Active Directory user authentication">Active Directory realms</a>
</li>
<li class="listitem">
<a class="xref" href="file-realm.html" title="File-based user authentication">File realms</a>
</li>
<li class="listitem">
<a class="xref" href="kerberos-realm.html" title="Kerberos authentication">Kerberos realms</a>
</li>
<li class="listitem">
<a class="xref" href="ldap-realm.html" title="LDAP user authentication">LDAP realms</a>
</li>
<li class="listitem">
<a class="xref" href="native-realm.html" title="Native user authentication">Native realms</a>
</li>
<li class="listitem">
<a class="xref" href="pki-realm.html" title="PKI user authentication">PKI realms</a>
</li>
<li class="listitem">
<a class="xref" href="saml-realm.html" title="SAML authentication">SAML realms</a>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Set up roles and users to control access to Elasticsearch.</p>
<p>For example, to grant <em>John Doe</em> full access to all indices that match
the pattern <code class="literal">events*</code> and enable them to create visualizations and dashboards
for those indices in Kibana, you could create an <code class="literal">events_admin</code> role
and assign the role to a new <code class="literal">johndoe</code> user.</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">curl -XPOST -u elastic 'localhost:9200/_security/role/events_admin' -H "Content-Type: application/json" -d '{
  "indices" : [
    {
      "names" : [ "events*" ],
      "privileges" : [ "all" ]
    },
    {
      "names" : [ ".kibana*" ],
      "privileges" : [ "manage", "read", "index" ]
    }
  ]
}'

curl -XPOST -u elastic 'localhost:9200/_security/user/johndoe' -H "Content-Type: application/json" -d '{
  "password" : "userpassword",
  "full_name" : "John Doe",
  "email" : "john.doe@anony.mous",
  "roles" : [ "events_admin" ]
}'</pre>
</div>
</li>
<li class="listitem">
<p><a id="enable-auditing"></a>(Optional) Enable auditing to keep track of attempted and
successful interactions with your Elasticsearch cluster:</p>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>Audit logging is available with specific subscriptions. For more
information, see <a href="https://www.elastic.co/subscriptions" class="ulink" target="_top">https://www.elastic.co/subscriptions</a>.</p>
</div>
</div>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Add the following setting to <code class="literal">elasticsearch.yml</code> on all nodes in your cluster:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.audit.enabled: true</pre>
</div>
<p>For more information, see <a class="xref" href="auditing.html" title="Audit logging">Audit logging</a> and <a class="xref" href="auditing-settings.html" title="Auditing security settings">Auditing settings</a>.</p>
</li>
<li class="listitem">
Restart Elasticsearch.
</li>
</ol>
</div>
<p>Events are logged to a dedicated <code class="literal">&lt;clustername&gt;_audit.json</code> file in
<code class="literal">ES_HOME/logs</code>, on each cluster node.</p>
</li>
</ol>
</div>
<p>To walk through the configuration of security features in Elasticsearch, Kibana, Logstash, and Metricbeat, see <a class="xref" href="security-getting-started.html" title="Tutorial: Getting started with security"><em>Tutorial: Getting started with security</em></a>.</p>



</div>
<div class="navfooter">
<span class="prev">
<a href="elasticsearch-security.html">« Security overview</a>
</span>
<span class="next">
<a href="separating-node-client-traffic.html">Separating node-to-node and client traffic »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>